
After years of discussions, the General Data Protection Regulation (the GDPR), has finally been adopted and is due to come into effect 25 May 2018. The GDPR will replace the current Data Protection Directive and will be directly applicable in all EU member states.


GDPR Update: Rights of the data subjects (information notices)

May 16, 2017

Introduction

In this fifth update we discuss the (new) obligations on the provision of information to data subjects under the General Data Protection Regulation (the GDPR). In the subsequent two updates we will address the other data subjects’ rights (such as the right to access, rectification and erasure).

One of the core principles of the GDPR is that controllers must be transparent towards data subjects about the fact that personal data concerning them is collected, used, consulted or otherwise processed, and about the extent to which such personal data is or will be processed. This principle of transparency requires that any information and communication relating to the processing of personal data is easily accessible and uses clear and plain language.

In this respect the GDPR substantially extends the number of categories of information to be provided to data subjects.

Transparency

Under the GDPR, organisations that process personal data must provide the information listed below in a concise, transparent, intelligible and easily accessible form, using clear and plain language (in particular where the data subjects include children). Where appropriate, visualisations may be used (e.g. standardised icons).

In principle the information must be provided in writing (e.g. via a privacy policy) and where appropriate by electronic means (for example through a website).

Information to be provided when personal data are collected from the data subject

If personal data is collected directly from the data subject, the controller must provide the following information to the data subject:

its identity and contact details (and, if applicable, those of its representative);

contact details of the data protection officer, if applicable;

purposes of and legal basis for the processing of personal data, including the legitimate interests pursued by the controller if the processing is based on the legal basis “necessary for the purposes of the legitimate interests pursued by the controller”;

recipients or categories of recipients;

details of data transfer outside the EU, including how the data will be protected (e.g. the use of EU Model Clauses or Binding Corporate Rules) and how the data subjects can obtain a copy of the implemented safeguards;

retention period for the personal data, or if that is not possible the criteria used to determine the retention period (e.g. 1 year after the end of the contractual relationship);

that the data subject has a right to access and rectify its personal data, to object to or request erasure or restriction of the processing, and to data portability;

where the processing is based on consent, that the data subject has a right to withdraw its consent for the processing at any time;

that the data subject can lodge a complaint with a supervisory authority;

whether the provision of the data is a statutory or contractual requirement, or is necessary to enter into a contract, whether the data subject is obliged to provide the data, and the consequences of not providing it; and

whether there will be any automated decision-making, together with information about the logic involved and the significance and consequences for the data subject.

The information should be given to the data subject at the time of collection from the data subject.

Information to be provided when personal data are not collected directly from the data subject

In addition to the above information, the controller must also provide the following information, if the personal data are not collected directly from the data subject:

the categories of personal data concerned; and

from which source the personal data originates, and if applicable whether it came from publicly accessible sources.

The information must be given to the data subject:

within a reasonable period of having obtained the personal data (maximum one month);

if the data is to be used to communicate with the data subject, at the latest when the first communication takes place; or

if disclosure to another recipient is envisaged, at the latest, before the personal data is disclosed.

Further processing

If the controller envisages further processing of personal data for a purpose other than the one for which the personal data was initially collected, the controller must provide the data subject with information on that purpose(s), together with any other relevant information, prior to the further processing.

Exceptions

If personal data is collected directly from the data subject, the information obligations do not apply if the data subject already has the information (information only has to be provided once).

If personal data is not collected directly from the data subject, the information obligations do not apply if:

the data subject already has the information;

the provision of information is impossible or requires a disproportionate effort, provided that the controller takes appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including by making the information publicly available;

obtaining or disclosing the personal data is expressly required by EU or Member State law that provides appropriate measures to protect the data subject’s legitimate interests; or

the personal data must remain confidential pursuant to an obligation of professional secrecy regulated by EU or Member State law (e.g. legal professional privilege or physician-patient confidentiality).

Practical recommendations

The GDPR will substantially affect the existing information obligations of data controllers. We therefore recommend that organisations analyse their processing activities and update their existing (privacy) policies, notices, (employee) handbooks, etc. to meet the information obligations under the GDPR. Further, organisations that process personal data not collected directly from the data subjects should ensure that the information is provided at the appropriate time.
